[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
8 u" y6 H! Z! L9 T' o/ j. j
Keyboard Interrupt Hook using I/O APIC

By: chpie
, O& L/ A5 M: tKeyboard Interrupt Hooking by manipulating the I/O APIC
6 N. ^8 `% I. r: O! p. ]- @& Rtested on the winXP, Pentium D Hyper-threading Enabled.
# ^$ `+ V3 N: b
2 \) ?  F& k% J( `7 Z9 @
( i. K( }; L' M- oSummary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
* l9 Q: y" e" Kthe interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.

9 c- r$ m( P# ~0 k- It is higher priority of the hooking than the direct
8 V* K" F3 M5 @+ F8 W2 C/ Mmodification of the I/O APIC's vector.
' f" h7 M  A2 a- The vector can be hidden on the thread getting the keyboard
9 K9 k5 }) U# w7 Fvector from the I/O APIC.
2 {8 k; E) @6 q4 l- e
Flow ::
6 I, b, o# a' q+ f. L6 x, N5 ^& y3 J9 }
5 V; c9 W! |2 B0 S( u+ v1. IRQ 1 Assert !!!
2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
. @2 p* }9 W( @3 C3 `- S6. The processor Assert the INTA signal.
: V/ P: b6 g1 n  u" L0 g9 s* |0 W+ ]7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
9. The I/O APIC delivers the signal to the 8259a compatible PIC
! I3 V2 ~3 f6 L7 gfor ExtINT to its Delivery mode.
10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
, y  m+ V+ E& m' N& U12. our interrupt handler executed.

* c, W* b' c' b" E0 I8 B
) M! Z) z, O4 D. Q3 J/ s% Osourcecode and binary are available on the
http://www.rootkit.com/vault/chpie/apic_keyboard.zip